Security Infrastructure Automation for Check Point Firewalls
Without automation, IT operations teams would spend countless hours gathering diagnostics and device data to keep firewalls up and running. IT teams that manage Check Point firewalls are often short-staffed, which adds to the need for automation. The typical network administrator spends 70% of his or her time identifying and remediating known errors.
Eighty percent of outages (source) can be avoided if IT operations teams receive advance notice of common issues stemming from hidden configuration skew, forgotten ongoing maintenance, or a lack of adherence to vendor, industry, and High Availability best practices.
Here at Indeni, we have been building many automation elements over the years to help you identify latent issues. Our goal is to stop “2 A.M.” calls and start getting ahead. We know that notifications are supposed to make the job easier. Instead of making you guess, our platform watches your security devices like a senior administrator and provides actionable remediation steps to help you fix issues. Our automation elements are continuously curated from the knowledge of vetted, community-sourced IT professionals. No one knows better than someone who has experienced it, and outages can be avoided if something can tell you ahead of time.
Security Infrastructure Automation Use Cases
Our automation coverage spans a variety of use cases. The table below provides a summary of Indeni Auto-Detect Elements (ADE).
| Use Case | # of ADE | Description |
|---|---|---|
| Stateful Health Checks | 142 | Continuously assess device health by comparing the expected device configuration against the current status. For example, the system tracks the number of concurrent connections; as connections approach the device limit, the system proactively notifies users before the service is impacted. Actionable information for detected issues is provided, including a description, remediation steps, and links to relevant Check Point knowledge articles. |
| High Availability Readiness | 51 | Constant detection of HA unreadiness caused by cross-device inconsistencies in security policies, forwarding tables, and other configuration and state. This category of elements automates the checks needed to ensure a firewall cluster failover is seamless. |
| Proactive Maintenance Notification | 10 | Cross off often-forgotten maintenance tasks by identifying upcoming license expiration, upcoming SSL certificate expiration, and approaching software end of support. |
| Organization Standards | 11 | Consistent measurement of device configuration skew against locally-defined organizational standards. |
| Security Risks | 15 | Apply baseline security standards across devices and raise alerts for security and compliance violations. This includes support for the Center for Internet Security (CIS) Check Point Firewall benchmark. |
| Vendor Best Practices | 38 | Continuously assess devices for alignment with configuration recommendations from Check Point and seasoned practitioners. |
A complete list of ADEs for Check Point GAiA devices is available for download.
New Auto-Detect Elements
Recently, we have added a significant number of ADEs to gather more relevant and important device health checks. On the security front, we added several device hardening ADEs to reduce the risk of unauthorized access. We also added support for SecureXL DoS to ensure that your firewall is protecting your organization from denial-of-service attacks.
Device Hardening
- Check for strong passwords. Ensure the minimum password length is set to a user-defined length, and that passwords contain a combination of uppercase and lowercase letters, numbers, and special characters.
- Ensure password complexity is set to 3.
- Close inactive SSH sessions automatically. Ensure a timeout for automatic disconnection of inactive sessions is set. By default the expected wait time is >0 and <10 minutes; the timeout value is user-configurable.
- Ensure a “Login Banner” is set that prohibits unauthorized access.
- Ensure remote management uses SSH v2 and not SSH v1.
- Ensure that local admin user accounts cannot be locked out, by checking that CLI accounts are not blocked under any circumstances.
- Ensure device management is accessible only from the management LAN.
- Ensure activity logs and audit records are enabled.
SecureXL DoS
New ADE to detect the following conditions:
- SecureXL DoS deny list disabled.
- SecureXL DoS rate limit disabled.
- SecureXL DoS log IP penalty box disabled.
- SecureXL DoS log drops disabled.
- SecureXL DoS pbox disabled.
- DoS blade penalty box drop counter is 0.
- Dos_pbox entries appear in a whitelist of IPs.
New SecureXL ADE
Until recently, we only collected the global status of SecureXL and alerted on its enabled/disabled state. We have since added several new alerts for cases where the firewall disables individual SecureXL templates as a result of certain conditions:
- SecureXL Accept template disabled.
- SecureXL Drop template disabled.
- SecureXL NAT template disabled.
- SecureXL No Match Ranges (NMR) template disabled.
- SecureXL No Match Time (NMT) template disabled.
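As an added illustration of how a few of the Device Hardening checks and the SecureXL template checks above can be evaluated offline, the following Python is example code written for this page, not Indeni's ADE implementation. The command output it parses is constructed to resemble GAiA clish (`show password-controls`, `show inactivity-timeout`) and `fwaccel stat` output; the exact layout of those commands, and the policy value of 12 characters, are assumptions.

```python
"""Evaluate some of the Device Hardening and SecureXL template conditions
listed above. Added example, not Indeni's ADE code; the command output is
constructed to resemble GAiA clish / `fwaccel stat` output (layout assumed)."""

# Constructed sample output, not captured from a real device.
SAMPLE_PASSWORD_CONTROLS = """\
Password Strength: Minimum Length     6
Password Strength: Complexity         2
"""
SAMPLE_INACTIVITY_TIMEOUT = "Inactivity timeout: 30\n"
SAMPLE_FWACCEL_STAT = """\
|Id|Name|Status |Interfaces|Features    |
|0 |SND |enabled|eth0,eth1 |Acceleration|
Accept Templates : enabled
Drop Templates   : disabled
NAT Templates    : enabled
"""

def parse_kv(text):
    """Map 'Some Key : value' lines to a dict; table rows are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "+|":
            continue
        parts = line.rsplit(None, 1)  # last token is the value
        if len(parts) == 2:
            out[parts[0].rstrip(" :")] = parts[1]
    return out

def hardening_findings(pw_text, timeout_text, min_length=12):
    """Password and SSH inactivity checks (min_length 12 is an assumed policy)."""
    pw, findings = parse_kv(pw_text), []
    length = int(pw.get("Password Strength: Minimum Length", 0))
    if length < min_length:
        findings.append(f"minimum password length {length} < policy {min_length}")
    complexity = int(pw.get("Password Strength: Complexity", 0))
    if complexity != 3:
        findings.append(f"password complexity {complexity} != 3")
    timeout = int(parse_kv(timeout_text).get("Inactivity timeout", 0))
    if not 0 < timeout < 10:
        findings.append(f"inactivity timeout {timeout} min outside (0, 10)")
    return findings

def securexl_template_findings(stat_text):
    """Report each SecureXL template whose status is not 'enabled'."""
    stat = parse_kv(stat_text)
    return [f"{name} template disabled" for name in ("Accept", "Drop", "NAT")
            if stat.get(f"{name} Templates") != "enabled"]
```

Run against the constructed samples, the hardening checks produce three findings (length, complexity, and timeout) and the SecureXL check reports only the Drop template.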
Other New ADE
- Management API status down.
- Lights Out Management (LOM) interface configured with the default IP address.
Summary
Indeni provides security infrastructure automation with an unprecedented level of visibility. We have automated the world’s best practices to deliver predictive and actionable insights that help you prevent costly disruptions.
We will continue to develop new automation elements to help you manage your security infrastructure and prevent costly disruptions. If you don’t see the ADE you’re looking for, you can always let us know. If you are new to Indeni, we invite you to download a free trial today.